[openssl-users] Rejecting SHA-1 certificates

Niklas Keller me at kelunik.com
Mon Jul 10 17:12:08 UTC 2017


>
> > On Jul 10, 2017, at 3:45 AM, Niklas Keller <me at kelunik.com> wrote:
> >
> >
> > What's the best way / a working way to reject weak signature schemes in
> OpenSSL 1.0.{1,2}?
>
> Most CAs have stopped issuing SHA-1 certificates.  Any old ones will
> expire over the
> next year or two.  While Google has demonstrated a SHA-1 collision, that
> proof of
> concept is far from a practical attack.
>

Actually they should already be expired, all major browsers will reject
them already, even Edge.


> The simplest solution is to let the CAs solve the problem as SHA-1
> certificates fade
> out of the picture.  You can if you wish leave out from the set of trusted
> roots any
> CAs that have not yet stopped issuing SHA-1 certificates.
>

CAs can't solve the problem that we accept certificates with weak
signatures.


> You can of course implement a verify callback that inspects each
> certificate in the
> chain, and triggers an error when its signature is SHA-1 and it is not the
> last one
> in the chain.  This requires keeping some state attached to the X509 store
> context,
> and I don't think is worth the effort.
>

It's very well worth the effort, otherwise there's a security issue,
because certificates can be forged.

Regards, Niklas


> See code involving "TLScontext_index" in:
>
> https://github.com/vdukhovni/postfix/blob/master/postfix/
> src/tls/tls_client.c#L318
> https://github.com/vdukhovni/postfix/blob/master/postfix/
> src/tls/tls_client.c#L942
> https://github.com/vdukhovni/postfix/blob/master/postfix/
> src/tls/tls_verify.c#L163
>
> With such a context, you can keep track of the maximum depth seen by the
> callback,
> and reject SHA-1 at lower depths.  I do not recommend doing this.
>
> --
>         Viktor.
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170710/ad356e9a/attachment.html>


More information about the openssl-users mailing list